1. Field of the Invention
This invention relates generally to the field of network communication systems and, more particularly to security systems for use with network communication systems.
2. Related Art
A set of inter-connected computer networks that spans a relatively large geographical area is called a wide area network (WAN). Typically, a WAN consists of two or more local-area networks (LANs). Computers connected to a WAN are often connected through public networks, such as the telephone system. They can also be connected through leased lines or satellites. The largest WAN in existence is the Internet.
The Internet is a public, world-wide WAN defined by the IP (Internet Protocol) suite of protocols, which has in recent years gone from being a tool used primarily in scientific and military fields to become an important part of the missions of a wide variety of organizations. Organizations often run one or more LANs and connect their LANs to the Internet to share information with the cyber world in general, and with other organization-run LANs that may be remotely located. However, along with providing new levels of connectivity and sources of information, connection to the Internet or to a private WAN has brought security risks in the form of adversaries seeking to disrupt or infiltrate the organization's mission by interfering with or monitoring the organization's networks.
Several security devices that exist today are designed to keep external adversaries from obtaining access to a LAN. Firewalls, for example, protect the LAN against unauthorized access by allowing only communications data (commonly called datagrams or "packets") from known machines to pass. This is accomplished by inspecting the IP addresses on these packets, which are intended to correspond uniquely to a particular machine, and the TCP service ports, which usually map to a specific type of software application such as mail, ftp, http and the like. The firewall then determines whether to allow or disallow entry of the packet into the LAN according to its configured policy.
Virtual Private Network (VPN) and other Internet Protocol Security (IPsec) devices protect against unauthorized interception of transmitted data by encrypting the entire original packet. For example, a VPN (in tunnel mode) wraps each outgoing datagram with its own header and sends the encrypted packet to a destination VPN. A limitation of VPNs, however, is that adversaries can determine where the VPN devices are located in the network, since each VPN has a specific IP address. Accordingly, a VPN does not hide its location in the network, and is therefore vulnerable to an attack once its location is known. Similarly, other security technology, such as configured routers, Secure Sockets Layer (SSL) and host-based Internet Protocol Security (IPsec), fails to obscure the location of nodes inside a network.
Although prior art techniques are generally good for their intended purposes, they do not address the problem of detecting intrusion attempts against the network. To alert against possible intrusion attempts, network administrators have turned to intrusion detection system (IDS) technology. IDS technology is used to ascertain the level of adversary activity on the LAN and to monitor the effectiveness of other security devices, such as those discussed above. IDS products work by looking for known attack patterns, including network probes, specific sequences of packets representing attacks (called known intrusion patterns, or KIPs), and the like. An administrator uses IDS technology primarily to determine whether any adversarial activity has occurred, information useful in evaluating the effectiveness of current security technology and justifying additional commitment to network security.
In addition to protecting transmitted data, an organization may wish to prevent unauthorized parties from knowing the topology of their LANs. Existing security techniques do not completely secure a network from adversaries who employ traffic mapping analysis. Data packets exchanged across networks carry not only critical application data, but also contain information that can be used to identify machines involved in the transactions.
Today""s sophisticated adversaries employ network-level xe2x80x9csniffersxe2x80x9d to passively monitor freely transmitted network traffic and thereby gather critical network topology information, including the identities of machines sending and receiving data and the intermediate security devices that forward the data. The sophisticated adversary can use this identity information to map internal network topologies and identify critical elements such as: roles of the servers, clients and security devices on the network, classes of data associated with specific servers, and relative mission importance of specific machines based on network traffic load. The adversary can then use this network map information to plan a well-structured, network-based attack.
Recently, a network security technique has been developed that addresses this problem by concealing the identities of machines and topology in the LAN. The technology was developed by the assignee of the present application, and is described in U.S. patent application Ser. No. 09/594,100, pending, entitled Method and Apparatus for Dynamic Mapping and hereby incorporated by reference. The Dynamic Mapping technique hides machine identities on IP data packets by translating source and destination addresses just prior to transmitting them over the Internet. When packets arrive at an authorized destination, a receiving device programmed with the Dynamic Mapping technique restores the source and destination addresses (according to a negotiated scheme) and forwards the packets to the appropriate host on its LAN.
While the Dynamic Mapping technique represents a significant advancement in the field of network security, a fundamental limitation of the technique is that it is a time-based, fixed-key system, i.e., all packets matching a given destination address are consistently translated, or mapped, to a fixed "other" destination address for a given interval of time. When that time interval expires, the mapping is changed to something else. Thus, the time-based nature of the technique requires strict synchronization between endpoints, and can make operations difficult.
Besides the operational difficulties with a time-based system, the length of each translation time interval is sufficient for an adversary to extrapolate information from observed communications, even though observed addresses are false. Furthermore, adversaries are able to enact active attacks by sending forged packets to the false addresses knowing that they will reach their true destination. A further limitation is that the Dynamic Mapping technique was designed as a fixed-association security system, requiring fixed keys to be established between the client and server. This effectively binds clients to a specific server, limiting the flexibility of the system and preventing autonomous negotiations with other servers.
There exists, therefore, a great need for a method of concealing the identities of LAN machines and topology that takes an entirely fresh approach, departs from the time-dependent systems of the past, and provides a security technique that is more robust and more difficult to defeat. The technique should ideally allow for construction of network access devices, such as routers, that offer the benefits of Dynamic Mapping to protect an enclave of computers. In addition, these devices should be flexible enough to be self-discovering, able to negotiate mapping parameters with one another on a need-based, authorized basis.
While as a general matter the need exists to confuse adversaries and dissuade them from attempting to uncover network topology, there is also a need for a technique that will entice a potential adversary into making such an attempt. This may be advantageous since it would enable the network to identify which adversaries are interested in learning about the network.
In view of the above, it is an object of the present invention to provide a method of translating packets in a manner that would entice a would-be adversary to try to ping the network to learn its topology, while hiding the true host source and destination addresses.
In accordance with one preferred embodiment, translation of packet information is performed such that the apparent host source address in the header of each packet emanating from a local area network, or enclave, is an arbitrary address, and one that changes every predetermined number of packets. Such translation makes it appear to an outside observer that the packets are originating from various ones of hosts, the addresses for which do not relate to actual hosts in the source enclave.
Another embodiment of the present invention is an apparatus for processing packets to be transferred from a local area network (LAN) to a wide area network (WAN). The apparatus includes means for intercepting packets originating from a host on the LAN, the packets being destined for transmission over the WAN. This apparatus further includes means for extracting bits from predetermined fields from each packet header to form one or more blocks for translation, masking means for masking bits from the one or more blocks that vary rapidly packet to packet, means for applying a predetermined encryption algorithm to the one or more blocks after masking by the masking means, and means for reinserting bits from the translated block back into the packet header.
Another embodiment of the present invention is a method for processing packets to be transferred from a local area network (LAN) to a wide area network (WAN). This method includes intercepting packets originating from a host on the LAN, the packets being destined for transmission over the WAN. The method further includes extracting bits from predetermined fields from each packet header to form one or more blocks for translation, masking bits from the one or more blocks that vary rapidly packet to packet, applying a predetermined encryption algorithm to translate the one or more blocks after masking at the masking step, and reinserting bits from the translated block back into the packet header.
Yet another embodiment of the present invention is a bastion host for a local area network (LAN) adapted for processing packets to be transferred from the LAN to a wide area network (WAN). The bastion host is operable to intercept packets originating from a host on the LAN, the packets being destined for transmission over the WAN. The bastion host is further operable to extract bits from predetermined fields from each packet header to form one or more blocks for translation, mask bits from the one or more blocks that vary rapidly packet to packet, apply a predetermined encryption algorithm to translate the one or more blocks after masking, and reinsert bits from the translated block back into the packet header.
Another embodiment of the present invention is a system for securely transmitting, on a wide area network (WAN), packets between at least a first enclave local area network (LAN) and a second enclave LAN. The system includes a source host in the first enclave LAN, the source host sending packets destined for transmission over the WAN to a receiving host on the second enclave LAN. The system further includes a source bastion host associated with the first enclave LAN. The source bastion host is operable to intercept packets originating from the source host and destined for the receiving host, extract bits from predetermined fields from each packet header to form one or more blocks for translation, mask bits from the one or more blocks that vary rapidly packet to packet, apply a predetermined encryption algorithm to translate the one or more blocks after masking, reinsert bits from the translated block back into the packet header, and transmit the packet on the WAN. The system further includes a receiving bastion host associated with the second enclave LAN. The receiving bastion host is operable to receive the packets including the translated blocks, apply a decryption algorithm, associated with the predetermined encryption algorithm, to the translated blocks, and pass the decrypted packets on to the receiving host.
Yet another embodiment of the present invention is a computer-readable medium storing code which, when executed by a processor-controlled apparatus, causes the apparatus to perform a method for processing packets to be transferred from a local area network (LAN) to a wide area network (WAN). The method includes intercepting packets originating from a host on the LAN, the packets being destined for transmission over the WAN. The method further includes extracting bits from predetermined fields from each packet header to form one or more blocks for translation, masking bits from the one or more blocks that vary rapidly packet to packet, applying a predetermined encryption algorithm to translate the one or more blocks after masking at the masking step, and reinserting bits from the translated block back into the packet header.
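The following is an added worked example of the extract-mask-encrypt-reinsert translation described in the embodiments above; it is not code from the application or its assignee. It assumes IPv4 headers without options, that the Identification field of the sending host increments by one per packet (so its low bits are the "rapidly varying" bits to mask), and it uses a keyed Feistel permutation built from HMAC-SHA256 as a stand-in for the unnamed "predetermined encryption algorithm". The block is the 32-bit source address plus the 12 high bits of the Identification field; the 4 low Identification bits are masked (left in the clear), so the apparent source address changes every 16 packets. The key, addresses and function names are all hypothetical.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ROUNDS = 6
HALF_BITS = 22                       # the 44-bit block is split into two 22-bit halves
HALF_MASK = (1 << HALF_BITS) - 1
MASK_BITS = 4                        # low Identification bits that vary every packet are masked
LOW_MASK = (1 << MASK_BITS) - 1
HIGH_BITS = 16 - MASK_BITS           # the remaining 12 Identification bits enter the block
IPV4_FMT = "!BBHHHBBH4s4s"           # fields of a 20-byte IPv4 header (no options)


def _round_fn(key, rnd, half):
    """Keyed round function: HMAC-SHA256 over (round, half), truncated to 22 bits."""
    mac = hmac.new(key, struct.pack("!BI", rnd, half), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & HALF_MASK


def permute(key, block, encrypt=True):
    """Keyed pseudorandom permutation of a 44-bit block (balanced Feistel network).
    Stand-in for the cipher the application leaves unspecified."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    if encrypt:
        for rnd in range(ROUNDS):
            left, right = right, left ^ _round_fn(key, rnd, right)
    else:
        for rnd in reversed(range(ROUNDS)):
            left, right = right ^ _round_fn(key, rnd, left), left
    return (left << HALF_BITS) | right


def ipv4_checksum(header):
    """One's-complement checksum of a 20-byte header with its checksum field zeroed."""
    total = sum(struct.unpack("!10H", header[:10] + b"\x00\x00" + header[12:]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def translate(key, header, outbound):
    """Bastion-host step. Outbound: extract, mask, encrypt, reinsert.
    Inbound: the same extraction followed by decryption, restoring the true source."""
    fields = list(struct.unpack(IPV4_FMT, header))
    ident = fields[3]
    src = int.from_bytes(fields[8], "big")
    # Form the block from the source address and the slowly varying Identification bits;
    # the masked low bits are carried unchanged and never enter the cipher.
    block = (src << HIGH_BITS) | (ident >> MASK_BITS)
    out = permute(key, block, encrypt=outbound)
    fields[8] = (out >> HIGH_BITS).to_bytes(4, "big")
    fields[3] = ((out & ((1 << HIGH_BITS) - 1)) << MASK_BITS) | (ident & LOW_MASK)
    fields[7] = 0
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def make_header(src, dst, ident, payload_len=100):
    """Constructed sample IPv4/TCP header for a LAN host (not captured traffic)."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, ident, 0x4000, 64, 6, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def simulate(key, n_packets, src="10.1.2.3", dst="192.0.2.10", first_ident=0):
    """Push n packets from one host through a source bastion and a receiving bastion.
    Returns (apparent source addresses seen on the WAN, sources restored by the receiver)."""
    apparent, restored = [], []
    for i in range(n_packets):
        inner = make_header(src, dst, (first_ident + i) & 0xFFFF)
        on_wire = translate(key, inner, outbound=True)
        apparent.append(str(IPv4Address(on_wire[12:16])))
        back = translate(key, on_wire, outbound=False)
        if back != inner:
            raise RuntimeError("receiving bastion failed to restore the header")
        restored.append(str(IPv4Address(back[12:16])))
    return apparent, restored


if __name__ == "__main__":
    seen, real = simulate(b"hypothetical-shared-key", 48)
    for i in range(0, 48, 16):
        print(f"packets {i:2d}-{i + 15:2d}: apparent source {seen[i]} (true {real[i]})")
```

Because the cipher input changes only when the unmasked Identification bits change, an observer on the WAN sees a new, unrelated source address every 16 packets, while the receiving bastion, holding the same key, needs no clock or counter state to invert the mapping. A production implementation would replace the toy Feistel construction with a format-preserving cipher and would not rely on the sending host's Identification field being sequential.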
The invention will next be described in connection with certain exemplary embodiments; however, it should be clear to those skilled in the art that various modifications, additions and subtractions can be made without departing from the spirit or scope of the claims.